Sweden’s data breach: a cautionary tale

Another week, another data incident. The GDPR is arriving none too soon. Let’s hope that it can slow the tide that is washing our personal data out into the internet data-ocean.

This time the victims are the citizens of Sweden, or at least those who have a vehicle registered, are in the police or military, or who are protected witnesses. In other words, a nightmare scenario, which clearly would be a violation of the GDPR (that is, when it comes into force some ten months from now).

How could such a thing happen? While one’s first reaction is that it must have been a huge screw-up by somebody, it could well have been a collection of all-too-common circumstances. From link:

The maintenance of the Transport Agency’s vehicle and licence register was outsourced to IBM in April 2015 in order to save money. But the transfer took place under time pressure, because the Swedish Transport Administration (Trafikverket) which previously ran the register had already started letting staff go, and Ågren [the Swedish transport director at the time] said she saw no other option than to bypass the usual security rules. [emphasis added]

As it turned out, the Swedes’ problem was not even the result of a single error or misdeed (link):

The leak seems to have happened over email after the transport agency e-mailed the entire database in clear text messages to marketers that subscribe to it – and when the error was discovered, the agency merely sent a new list and told subscribers to delete the old list themselves. [emphasis in original]

The source above, a technically-oriented site, emphasizes that the messages were sent in plain text, that is, unencrypted. This means that not only the intended recipients (the outsourcing company and the marketers) but anyone who had access to the email system (or to the network path) of any of the parties also had access to the information.

I would emphasize the word ‘marketers’; the information was simply given (or sold) to third parties, who were free, for all we know, to do as they pleased with it, even to re-sell it downstream. You don’t even need the usual suspects (bad insiders, hackers) to hurt you; the intended recipients can do a lot of damage. If there were multiple errors, the decision to hand PII to marketers was the biggest.

This was neither a technical issue nor a lack of technical knowledge. It is likely that nobody in the chain of actions perceived privacy as a problem. Nor was this a security issue; nobody broke into the system, nobody disobeyed policies. You can have a serious GDPR breach without a security breach; naive or misguided policy is enough.

I don’t want to single out the Swedes, since I have seen all of these practices elsewhere, though not on a single project. Beyond the mind-boggling marketers decision, I see at least the following GDPR-compliance problems.

1. a casual attitude about the sensitivity of data
2. the ability of staff to extract entire databases
3. widespread outsourcing and/or cloud storage being embraced as panaceas for perceived high costs
4. email as the channel for sending the data
5. breach concealment, leaving victims unaware that they are vulnerable
6. super-sensitive PII having no additional protection

I have no ideas on how to deal with number 1. Yes, the usual training-awareness stuff will be floated, but for all I know such training was already in place.

Number 2: I believe that GDPR compliance implicitly requires that no one person be able to make a ‘big gulp’, that is, to take a large volume of PII all at once. Any such person is a data risk. Large volumes should be confined to aggregated data that has (at most) a low likelihood of identifying individual persons.

I had planned a future post on this topic (alas, events are running ahead of me). In most IT shops a certain group of mostly-technical people has this ability; here it seems likely that even low-level, non-technical staff had this kind of access as well, or else they were assisted by technical staff who failed to raise the alarm.

To be fair, it sounds as if staff feared for their jobs by that time and would be understandably reluctant to make targets of themselves by raising concerns. This might well be treated as a separate risk; employees who worry about their jobs, or have already been told when their last day is, will be reluctant to object to whatever they are told to do. The first group wants to stay employed, while the second group knows that they are leaving and thus have no reason to bother (if, indeed, anyone would heed the warnings of a laid-off staffer).

Number 3: Almost every large IT shop that is not constrained by existing data-protection laws (e.g., medical privacy, bank secrecy) is already engaged in shipping its data to cloud and outsourcing vendors.

The business model of these vendors is to achieve high profits through economies of scale (cloud) and labor arbitrage to low-cost countries (outsourcing), both of which complicate GDPR if the data is to be sent outside of the EU. As the Swedish case makes clear, even the mode of transmission constitutes a risk.

Number 4: Email is the lowest common denominator of ways to move data around, and possibly the most vulnerable, especially over the public internet. Putting aside the risk of intercepted transmission, email sits in the in-box of its recipients (and the out-box of the sender) indefinitely (that is, you’re not likely to find it when you compile your inventory of sensitive data), exposing it to whoever administers or has super-user access to the email system.

Number 5: The events described in the press occurred in 2015, but the Justice Ministry informed the prime minister only in 2017 (link), meaning that potential victims have been at risk for a year or more without being aware of it. Prior warning could have prevented users from falling prey to, say, email malware or phishing scams.

In spite of the GDPR’s notification requirements, there will normally be powerful incentives to conceal a breach, especially if you can claim that there is no evidence of its having been exploited. Concealment appears to have been the initial strategy in this case (link).

Number 6: The leaking of PII on protected witnesses, police, and military forces, whose identities are officially secret. This has the highest possible potential impact, that is, putting data subjects’ lives at risk. There is no upper bound on the damage that can be caused by just one data exposure, and no adequate metric of the ultimate cost.

I think that a risk-managed GDPR implementation would identify super-secret data and give it extra protection; after all, the impact of its leakage is greater.
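The two controls argued for in points 2 and 6 above (no single person able to take a ‘big gulp’ of identifiable data, and extra protection for the officially secret records) can be expressed as a gate in front of the register. The following is an added illustration written for this post, not code from the Swedish agency or any vendor; the register contents, the cap of three rows, the small-cell threshold and the ‘clearance’ flag are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass(frozen=True)
class Record:
    plate: str          # vehicle registration number
    owner: str          # natural person: this is PII
    municipality: str
    protected: bool = False  # witness / police / military: officially secret

# Constructed sample register (invented data, not the real Swedish register).
REGISTER: List[Record] = [
    Record("ABC001", "Anna", "Uppsala"),
    Record("ABC002", "Bo", "Uppsala"),
    Record("ABC003", "Cia", "Lund"),
    Record("ABC004", "Dag", "Lund"),
    Record("ABC005", "Eva", "Kiruna"),
    Record("ABC006", "Finn", "Uppsala", protected=True),
    Record("ABC007", "Gun", "Kiruna", protected=True),
]

BULK_CAP = 3        # assumed limit: most identifiable rows one request may return
SMALL_CELL = 2      # assumed limit: aggregate cells below this are suppressed
AUDIT_LOG: list = []  # every request, granted or denied, leaves a trace


class ExportDenied(Exception):
    """Raised when a request would breach a data-handling rule."""


def export_identifiable(register: List[Record], requester: str,
                        predicate: Callable[[Record], bool] = lambda r: True,
                        include_protected: bool = False,
                        clearance: bool = False) -> List[Record]:
    """Return individual (identifiable) rows matching `predicate`.

    Rule 6: protected records are silently excluded unless the caller
    explicitly asks for them AND holds clearance (assumed attribute).
    Rule 2: a result larger than BULK_CAP is refused outright; the caller
    must fall back to export_aggregate() instead of taking a 'big gulp'.
    """
    rows = [r for r in register if predicate(r)]
    if include_protected:
        if not clearance:
            AUDIT_LOG.append(("DENIED-protected", requester))
            raise ExportDenied("protected records require clearance")
    else:
        rows = [r for r in rows if not r.protected]
    if len(rows) > BULK_CAP:
        AUDIT_LOG.append(("DENIED-bulk", requester, len(rows)))
        raise ExportDenied(
            f"{len(rows)} rows exceeds cap of {BULK_CAP}; use export_aggregate")
    AUDIT_LOG.append(("EXPORT", requester, len(rows), include_protected))
    return rows


def export_aggregate(register: List[Record], requester: str,
                     key: Callable[[Record], str] = lambda r: r.municipality
                     ) -> Dict[str, Optional[int]]:
    """Counts per group, the only form in which large volumes leave the system.

    Protected records are never counted, and any cell below SMALL_CELL is
    reported as None so that a count of one cannot point at one person.
    """
    counts = Counter(key(r) for r in register if not r.protected)
    result = {g: (n if n >= SMALL_CELL else None) for g, n in counts.items()}
    AUDIT_LOG.append(("AGGREGATE", requester, len(result)))
    return result


if __name__ == "__main__":
    # A narrow lookup succeeds; a whole-register pull is refused.
    print(export_identifiable(REGISTER, "clerk", lambda r: r.municipality == "Lund"))
    try:
        export_identifiable(REGISTER, "clerk")
    except ExportDenied as e:
        print("denied:", e)
    print(export_aggregate(REGISTER, "analyst"))
    print(AUDIT_LOG)
```

The point of the design is that the refusal, not the cap alone, is what changes behaviour: a marketer’s ‘send me the whole list’ cannot be satisfied by any one account, and the audit log records who asked, so the decision to hand data to third parties becomes a visible act rather than a routine export.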

The minority government has said that the contract process – won by IBM Sweden – was speeded up, bypassing some laws and internal procedures in a manner that may have led to people abroad handling servers with sensitive materials.

As Reuters reports, the scandal has raised questions about the way it has been handled within the government. The security police informed the Justice Ministry in late 2015 but Lofven said he only found out about it early this year.

Lofven said Anna Johansson, minister of infrastructure and responsible for the Transport Agency, had not passed information on to him.

Johansson on Sunday in turn blamed one of her former state secretaries for not informing her about the scandal. [emphasis added]

Note the passive language, saying that the process “was speeded up”, which avoids naming whoever made the decision. Not only that, but laws and procedures were not violated, merely ‘bypassed’. Concealment is not a one-time event, but an ongoing process (link), first to hide the breach, failing that to downplay the danger it poses, then divert blame, find excuses, and so forth. Normal public relations, in other words, that we can expect from all post-breach data processors and controllers.

The Transport Agency said on Monday it had no indications sensitive material had actually ended up in the wrong hands, but Lofven said the government had initiated an investigation into what had happened, vowing to tighten laws for handling of sensitive material.

Just because you have no evidence does not mean that nothing happened (absence of evidence is not equivalent to evidence of absence). In any case, a competent exploiter of the data would take care not to provide that evidence. Even worse, as far as tightening the laws goes, the horse is out of the barn now; that data is out there forever, in unknown hands, and possibly spreading.

If everyone’s responsible, then no one is. The GDPR’s mandate to appoint a DPO is a tacit acknowledgement of this problem. But would a DPO in this case have the ability to overrule decisions of government ministers to hand citizens’ data to marketers? Would the DPO even have been informed, given that the prime minister was not? If you, as DPO, are overruled by higher-ups, what are your options (report your employer to the DPA, threaten to quit)?

Suppose that this incident occurred in the GDPR-protected future. How do you penalize the Swedish government? Was anyone in this case accountable, other than the transport director (who was fined a mere 2 weeks’ pay)? Sure, the EU could levy a fine, but it would be paid by the Swedish taxpayer, that is, the victims of the breach. The same can be said for the IT operations of local governments and state-owned enterprises. The voters may punish the Swedish ministers, but the EU would not be likely to, even under GDPR.

What about banks? Is the EU really going to come down hard on the same banks that it spent uncounted billions to save from bankruptcy a few years back?

My point here is this: for many holders of the most sensitive data, is the GDPR’s threat of fines really credible? Do decision-makers in the public or quasi-public sector really have any personal ‘skin in the game’ (link)? Given the large share of EU economies taken by public and protected entities, this is a fundamental question and a possible Achilles’ heel to the GDPR’s ultimate effectiveness.

I expect more big breaches to appear in the news in coming months. Let us at least hope that there are no more on the scale of this one. All of us living in the EU have skin in this game.
